REM: Visualizing the Ripple Effect on Dependencies Using Metrics of Health

In recent years, free and open source software (FOSS) components have become common dependencies in the development of software, both open source and proprietary. As the complexity of software increases, so does the number of components it depends upon; in addition, those components depend on other components. Thus, dependency graphs are growing in size and complexity. One of the current challenges in software development is that it is not trivial to know the full dependency graph of an application. Developers are usually aware of the direct dependencies their application requires, but might not be fully aware of the dependencies that those dependencies require (the transitive dependencies). Unfortunately, transitive dependencies can break any software application; therefore, project developers need tools, methods and visualizations to inspect the health of these transitive dependencies and their potential impact.

In this work, we propose the Ripple Effect of Metrics (REM) dependency graphs, a visualization of dependency graphs that leverages metrics of the health of dependencies. The two main features of REM dependency graphs are: first, to display, and potentially summarize, the full dependency graph of an application based on the health of each of its dependencies; and second, to evaluate the ripple effect of potentially risky dependencies on the rest of the dependency graph. REM helps application developers inspect the health of all of their dependencies, and also the impact that some of these dependencies might have. By showcasing two examples of popular NPM JavaScript applications, we demonstrate that combining the ripple effect on the dependency graph with activity-based health metrics can be beneficial to developers.

The advantages of REM graphs are: 1) the health-metric annotation is useful for evaluating the health of dependencies; 2) the ripple effect of a vulnerability provides an easy method to identify potential risk in a dependency chain; and 3) the summarizing mechanisms of REM help reduce the size and complexity of large dependency graphs, while focusing on specific aspects of the health of the dependency graph.
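As an added illustration (not the paper's code or tooling), the following JavaScript computes the two REM features described above over a constructed npm-style dependency graph: the ripple effect of a risky dependency, found by walking reversed edges from that dependency up to the application root, and a summarized graph that keeps only risky packages and their dependents while collapsing healthy subtrees. The package names, the health metric (days since last release) and its threshold are hypothetical sample values.

```javascript
// Constructed npm-style dependency graph (sample data, not from the paper):
// each package lists its direct dependencies; "app" is the application root.
const DEPS = {
  app: ["express", "lodash", "chalk"],
  express: ["body-parser", "debug"],
  "body-parser": ["debug", "qs"],
  lodash: [], chalk: ["ansi-styles"], "ansi-styles": [],
  debug: ["ms"], qs: [], ms: [],
};
// Constructed health metric: days since the package's last release (higher = less active).
const DAYS_SINCE_RELEASE = {
  app: 0, express: 30, "body-parser": 45, lodash: 400, chalk: 20,
  "ansi-styles": 25, debug: 900, qs: 60, ms: 1200,
};

// Reverse the edges: for each package, the set of packages that depend on it directly.
function dependentsOf(deps) {
  const rev = {};
  for (const [pkg, ds] of Object.entries(deps)) {
    for (const d of ds) (rev[d] = rev[d] || new Set()).add(pkg);
  }
  return rev;
}

// Ripple effect: every package (up to and including the root) that transitively
// depends on `risky`, found by walking the reversed edges.
function rippleEffect(deps, risky) {
  const rev = dependentsOf(deps);
  const affected = new Set();
  const stack = [risky];
  while (stack.length) {
    for (const p of rev[stack.pop()] || []) {
      if (!affected.has(p)) { affected.add(p); stack.push(p); }
    }
  }
  return affected;
}

// Summarized REM graph: a package is risky when its metric exceeds the threshold;
// keep risky packages plus their ripple effect, and collapse (only count) edges
// into healthy, unaffected subtrees.
function remGraph(deps, thresholdDays = 365) {
  const risky = Object.keys(deps).filter((p) => DAYS_SINCE_RELEASE[p] > thresholdDays);
  const keep = new Set(risky);
  for (const r of risky) for (const p of rippleEffect(deps, r)) keep.add(p);
  const edges = [];
  let collapsed = 0;
  for (const pkg of keep) {
    for (const d of deps[pkg]) keep.has(d) ? edges.push([pkg, d]) : collapsed++;
  }
  return { risky, edges, collapsed };
}
```

With the sample data, flagging `ms` propagates through `debug` to both `express` and `body-parser` and finally to `app`, while the `chalk` and `qs` subtrees are collapsed in the summary.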
